A Hacker Called XXXX!
- RG
- Jun 11
- 5 min read
Updated: Jun 18

Once upon a time, there was a hacker called “XXXX”.
Really! Well, sorta.
This is a story about hackers, corporate intrigue, international espionage, and AI, all rolled into one.
It’s also a story that relates to topics I have recently posted about. In particular, it’s about North Korea and well-handled incident response.
Let’s begin.
KnowBe4 is an information security company which focuses on the “human side of security”. They describe themselves as “the world’s first and largest New-school Security Awareness Training and simulated phishing platform”. The company was formed in 2010, which is really not long ago, but seems like forever in the cybersecurity world. KnowBe4’s earliest “splash” was probably the announcement that Kevin Mitnick was joining the company as part owner and “Chief Hacking Officer”. I won’t go down the “Mitnick” rabbit-hole, except to note that he was (to say the least) extremely well-known in the information security world, and to point to a two-part series on the (now defunct) podcast Malicious Life about him (Part 1 / Part 2).
As described by DarkReading, KnowBe4 was going through the process of hiring a software engineer for its internal AI team. As companies generally do, they reviewed candidates and selected the ones who best fit their needs, then went through several rounds of interviews before selecting their preferred candidate, referred to as “XXXX” in the article.
I’ll note here that, in the “before times” (ie, before COVID-19), it would have been quite unusual to hire someone without at least one in-person interview, but five years of video calls and the normalization of remote work (especially in the IT field) have changed all that.
Since they are a cybersecurity firm, KnowBe4 diligently ran standard background checks on XXXX, and verified that the person on the video interview matched the photo which was included with the profile.
Everything seemed just fine, so they shipped a corporate Mac workstation to XXXX and started with the onboarding process.
But, as you might suspect from all the hints and foreshadowing, things were far from fine.
On 15-July-2024, at 9:55 pm EST, KnowBe4’s SOC (Security Operations Centre) started receiving alerts for suspicious activities on XXXX’s workstation, and reached out to inquire about the situation. XXXX’s response was that they were trying to “troubleshoot a speed issue” on their router.
In fact, XXXX was apparently trying to install unauthorized software and files onto the workstation, including “infostealer” malware designed to harvest credentials and session data saved in web browsers. Shortly afterwards, at around 10:20 pm EST, XXXX’s device was quarantined by the KnowBe4 SOC.
End of story?
No. This is where it gets interesting...
First of all, to be clear, this was not a breach of KnowBe4’s systems. The workstation was shipped with basic software, and required setup and configuration to allow access to corporate systems. When XXXX started trying to install unauthorized software and files, it was detected and the SOC was notified. They then responded appropriately, and quarantined the workstation after receiving suspicious responses from XXXX.
So... successful prevention of a breach?
Yes. And KnowBe4 continued handling the incident well: they shared their findings with Mandiant and the FBI. This is standard procedure for a well-run security team, since it gets a third party to corroborate the results and also notifies law enforcement.
The follow-up investigation found that XXXX was not actually XXXX. Or rather that the person KnowBe4 interviewed was not the person described on the profile/resume, even though the photo matched.
They discovered that the identity of the candidate was real, but the profile had been stolen and modified. In particular, the profile picture was subtly modified, by AI, to be consistent with XXXX. That’s why the standard background check found nothing amiss – the identity was real, but stolen.
Another interesting part of this is that the workstation was shipped to a location in the US, even though XXXX was traced to North Korea. In fact, the shipping location was an “IT mule laptop farm”, where a US-based person is hired to pick up the laptop, set it up for remote access, and then provide that access to the “client” – ie, XXXX.
So, XXXX is apparently a North Korean hacker (most likely part of a team), who stole a US-based identity, modified the photo to match their face, then went through the hiring process and was convincing enough to be hired by KnowBe4. On employment, the workstation was shipped to a US-based location, where it was picked up by someone and then set up at a laptop farm to allow remote access from North Korea. XXXX then started trying to install unauthorized software and files, but was detected by KnowBe4’s SOC and blocked before they were able to access KnowBe4’s network.
Everything that KnowBe4 did was “right”, but XXXX still got hired. That, arguably, makes them look bad, and there wasn’t really a breach of their system, so why would they go out of their way to tell people, as their founder, Stu Sjouwerman did on 23-July-2024?
While some media coverage made it sound like a breach disclosure, there was no breach. The announcement is better-described as a PSA (Public Service Announcement), where KnowBe4 highlights the need for layered defence, highlights weaknesses in current processes, and describes how they can be updated/enhanced. In my opinion, this makes them look very good, and enhances their credibility in the industry.
KnowBe4’s background checks and interview process are at or above what is standard in the industry, but someone got through. They have since made changes to their processes, which include only shipping new employee workstations in the US to a nearby UPS store, and then requiring picture ID to pick them up. There are almost certainly other changes, but I would not expect them to provide details.
On the hardware/software side, their defences seem to have been sound, but I’m sure they have been reviewed as well.
And then there’s the laptop farm, which appeared to have been found and shut down a few weeks later.
So, a good-news story in the sense that the North Korean plan ultimately failed and KnowBe4 provided a solid example of how to properly handle an incident like this. Another organization might have said nothing, then insisted that there was no breach, and would probably have ended up looking very bad. Everyone knows that there are plenty of organizations out there that would have done exactly that.
That’s why it’s important to offer praise when it’s due, and commend KnowBe4 for handling this the right way.
It’s also a very disturbing story, in that there are certainly others like XXXX out there, quietly working for various companies.
What are they doing?
Providing income to the North Korean government? Yes.
Gathering corporate secrets? Gathering user and vendor data? Certainly.
Adding subtle bugs in systems to impair their efficiency and long-term viability? Possibly.
Adding malicious code to software, which can be used to compromise the company, or clients, or others? Think of SolarWinds, where Russian actors compromised dozens of companies and about a dozen government agencies.
Risks like this are the stuff of nightmares in InfoSec, and increasing awareness is vitally important, but the simple truth is that we need to acknowledge and understand our risk and develop strategies for addressing it: Zero Trust, SBOMs (Software Bills of Materials), and code signing, for example.
As I have asked before, who can you trust?
Cheers!